Exam AZ-204 topic 1 question 27 discussion

This is scenario questions. If backend is accepts HTTP(S) Then Basic AUTH or Certificate will work. so Certificate + Azure Resource NO https://www.youtube.com/watch?v=HQ0U7lwP93o

Hope don't find this question in my exam.

You are developing a solution for a public facing API. The API back end is hosted in an Azure App Service instance. You have implemented a RESTful service for the API back end. You must configure back-end authentication for the API Management service instance. Solution: You configure Client cert gateway credentials for the Azure resource. Does the solution meet the goal? Yes, the solution meets the goal. Configuring Client certificate gateway credentials for the Azure resource ensures secure back-end authentication for the API Management service instance. This method provides a robust way to authenticate and secure communication between the API Management gateway and the back-end service.

This works because the backend is not an HTTP endpoint, its an Azure resource. It also works because App Service doesn't support basic auth out of the box, and it is considerably less secure even if it did.

The answer should be No, the client certificate is typically used for mutual authentication between the client application and the APIM gateway after APIM uploads the client certificate.

Pasted this question into MS copilot and got this response The solution of configuring Client Certificate Gateway credentials for the HTTP(s) endpoint does not meet the goal. While client certificate authentication provides an additional layer of security, it is not the recommended approach for authenticating the API Management service instance with the back-end hosted in Azure App Service.

This is described on this page: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates#configure-an-api-to-use-client-certificate-for-gateway-authentication

The answer is; NO Configuring "Client cert gateway credentials" for the Azure resource suggests that you are configuring client certificate authentication for the API Management gateway itself when accessing Azure resources, but it may not necessarily secure the communication between API Management and the back-end Azure App Service.

One of the questions is for securing with Basic and the other with a client cert. Clearly MS is saying Basic = bad and client cert = good.

A. Yes The solution meets the goal of configuring back-end authentication for the API Management service instance. By configuring Client cert gateway credentials for the Azure resource, you can authenticate and secure the communication between the API Management gateway and the back-end service hosted in the Azure App Service instance. Client certificate authentication involves using X.509 client certificates to verify the identity of the client requesting access to the API Management gateway. This authentication method ensures that only clients with valid certificates can access the back-end service. By configuring Client cert gateway credentials, you establish a secure and authenticated connection between the API Management gateway and the Azure App Service instance, thereby meeting the requirement for back-end authentication.

Looks right

When client certificate authentication is used for the API Management gateway, a client must provide a client certificate in the header of each request to access the API. The client certificate is then validated by the gateway before forwarding the request to the back-end API. This can provide a high level of authentication and help prevent unauthorized access to the back-end API. Client certificate authentication is a more secure mechanism than Basic authentication, as it uses a secure communication channel and cryptographic keys to authenticate clients. Additionally, it provides better scalability, as it does not require the gateway to maintain a large number of user credentials.

Are the website answers the official ones? This is getting confusing!!!

Selected Answer: A -> yes as long as a certificate is used to can authenticate to the backend via "Custom URL" or "Azure resource" (Function App, Logic App, Web App)... in both cases you provide an URL to which the requests are forwared to. From the App Service side you should use HTTPS only or User/System Managed Identity to authenticate to the App Service. So that means, the only solutions for this scenario would be using a certificate for HTTP(s) endpoint and resources. https://learn.microsoft.com/en-us/azure/app-service/security-recommendations#identity-and-access-management https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates

B. No Configuring client cert gateway credentials for the Azure resource would not provide a suitable solution for back-end authentication for the public facing API. Client certificate authentication is based on the possession of a certificate and private key, which can be installed on the client device. However, this approach is not suitable for public facing APIs, as it requires the client to have a unique certificate, which is not easy to manage, and it's not a scalable solution for public facing APIs.

Azure Logic App and HTTP(S) Endpoint are the two choices on the portal page. Whenever the question is about using app service at the backend, and it talks about configuring auth for the "azure resource" instead of HTTP(S), it's an automatic NO.

mTLS is used for AuthZ, and not AuthN - is like presenting your ID to the policeman, but not giving him the house keys. So the answer is for sure NO!